Risk and Threat Ratings in RUS-CERT Advisories

The risk and threat rating in RUS-CERT’s Security Announcements uses four values to express the result of the assessment done during the analysis of the issue described. The ratings are used for several assessment keys provided in Announcements.

Currently used Assessment Keys

(Technical) Risk

The technical risk describes the risk posed by a problem in a worst-case scenario. It does not take into account extra aspects of a particular installation of a vulnerable system, e.g. firewalls limiting traffic on the attack vector. Thus, this assessment key provides a basis for further assessments that can then take such extra effects into account. (see the risk element in CAIF)

Threat

Based on the technical risk, this assessment key also considers aspects like the number of deployments or typical configurations, and hence the probability that an attack occurs. (see the threat element in CAIF)

Ratings

The following rating values are used in RUS-CERT Security Announcements:

very high

The problem allows an attacker to gain administrative privileges or control the affected system or essential parts of it in another way, spy out sensitive data or damage the system severely (e.g. by destroying data) without needing interactive, authenticated access.
In case of a vulnerability in a client system (e.g. a web browser), neither active co-operation of its regular user nor a configuration other than the defaults is necessary.

high

The vulnerability allows a ‘local’ attacker (a regular but non-privileged user) to gain administrative privileges or control the affected system or essential parts of it in another way, spy out sensitive data or damage the system severely (e.g. by destroying data) without needing interactive, authenticated access.
In case of a vulnerability in a client system (e.g. a web browser), no active co-operation of its regular user is necessary, but the system must be configured in a special, obviously unusual way, other than the defaults.

medium

The problem allows an unauthorized attacker to learn non-sensitive data or perform a denial-of-service attack on an affected system. Vulnerabilities that become dangerous only after obviously questionable manipulation of the affected system are also rated medium.

low

Exploitation of the problem leads to sub-optimal operation of the affected system (e.g. a short-lived disruption of a service's availability) but not to severe consequences.
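
The four definitions above, encoded as a decision function so that a reviewer can check a proposed rating against the stated criteria. This is an added illustration, not RUS-CERT's own tooling; the attribute names (Attacker, Impact, Finding) are assumptions. Where the definitions assign no value (e.g. a client-side flaw that needs the user's co-operation), it returns None rather than guessing.

```python
from dataclasses import dataclass
from enum import Enum


class Attacker(Enum):
    REMOTE_UNAUTHENTICATED = "remote"  # no interactive, authenticated access needed
    LOCAL_UNPRIVILEGED = "local"       # regular but non-privileged user


class Impact(Enum):
    CONTROL = "control"                # admin privileges / control of essential parts
    SENSITIVE_DATA = "sensitive"       # spy out sensitive data
    SEVERE_DAMAGE = "damage"           # e.g. destroying data
    NON_SENSITIVE_DATA = "non-sensitive"
    DENIAL_OF_SERVICE = "dos"
    DEGRADED_OPERATION = "degraded"    # short-lived disruption, no severe consequences


@dataclass(frozen=True)
class Finding:
    """Assumed structured description of one vulnerability (not a RUS-CERT format)."""
    attacker: Attacker
    impact: Impact
    client_side: bool = False               # flaw in a client such as a web browser
    needs_user_cooperation: bool = False    # regular user must actively co-operate
    needs_non_default_config: bool = False  # only exploitable in an unusual configuration
    needs_questionable_manipulation: bool = False  # dangerous only after questionable changes


SEVERE = {Impact.CONTROL, Impact.SENSITIVE_DATA, Impact.SEVERE_DAMAGE}


def technical_risk(f: Finding):
    """Worst-case technical risk per the four rating definitions; None = not covered."""
    if f.needs_questionable_manipulation:
        return "medium"
    if f.impact in SEVERE:
        if f.client_side and f.needs_user_cooperation:
            return None  # neither "very high" nor "high" applies; analyst judgement
        if f.client_side and f.needs_non_default_config:
            return "high"
        if f.attacker is Attacker.LOCAL_UNPRIVILEGED:
            return "high"
        return "very high"
    if f.impact in (Impact.NON_SENSITIVE_DATA, Impact.DENIAL_OF_SERVICE):
        # "medium" is defined for an unauthorized attacker only
        return "medium" if f.attacker is Attacker.REMOTE_UNAUTHENTICATED else None
    if f.impact is Impact.DEGRADED_OPERATION:
        return "low"
    return None
```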

Other Rating Systems

In some announcements RUS-CERT uses CVSS as an additional rating system.